Breach detection: Five fatal flaws and how to avoid them

Lior Div, Co-founder and CEO, Cybereason |
June 8, 2015

IT security is about monitoring what is occurring inside the firewall just as much (if not more) than what is outside trying to make its way in.

* Focusing on malware. Solution: Focus on the entire attack. Although detecting malware is important, solutions that mainly focus on detecting isolated activity on individual endpoints are unable to properly combat complex hacking operations. Instead, employ a more holistic defense. Leverage automation - analytics and threat intelligence in particular - in order to gain context on the entire malicious operation, as opposed to just the code. Keep in mind that your adversary is a person and malware is one of their most powerful tools, but one of many in their tool kits.

* Letting false alerts get the best of you. Solution: Automate investigation. Because many security solutions produce a large amount of sporadic alerts (many false) with little context, security teams spend endless hours manually investigating and validating alerts produced by their solutions. This lengthy process significantly prolongs security teams from addressing the real question is there a cyber-attack underway? Here's another case where the proper use of automation can dramatically increase productivity as well as detection and response times, which results in less costly and damaging attacks. If there are budgetary constraints that prevent the proper use of automation to aid you in this process, quantify the value the investment you are asking the company to make.

Like many aspects of IT, breach detection is part art, part science. However, what distinguishes a good analyst from a great one is how they think. Avoiding these misconceptions enable security teams to approach breach detection much more strategically and make better use of the resources at their disposal.